EU Announces Guidelines to Standardize Cloud Computing Agreements


In an effort to meet one of the key objectives of the European Union's Cloud Computing Strategy - to develop model terms for cloud computing contracts, including service-level agreements - an industry working group that includes major cloud-computing suppliers such as Google, Microsoft, Amazon, and others has submitted guidelines governing Cloud Service Level Agreements (Cloud SLAs) to the European Commission. (For more information on the EU's Cloud Computing Strategy, please read our alert.)

Although the guidelines do not prescribe the content of Cloud SLAs, they do set forth an extensive list of terms - including definitions and descriptions - with the objective of standardizing definitions within the cloud computing industry. The guidelines acknowledge that some Cloud SLAs (particularly those involving large enterprises) may be negotiated individually, while others may be offered in boilerplate form that customers can accept or reject. In either situation, the guidelines are meant to provide consistency in terminology and metrics across agreements and across borders.

In addition to recommending that contracts be technology neutral, business-model neutral, and applicable to users across jurisdictions, the guidelines include a glossary of uniform principles and terms designed to allow customers to evaluate and compare SLAs more effectively. Among the contract terms covered in the guidelines are:

  • Service level objectives. These objectives relate to cloud computing performance, such as service availability, customer support, response time, storage capacity, and termination (ensuring that data is not deleted prematurely).
  • Security level objectives. These objectives seek to "improve both assurance and transparency" concerning such security measures as reliability (including backup/redundancy), encryption, access authentication, and security incident monitoring and reporting.
  • Data management service level objectives. These guidelines standardize terms relating to data classification, life cycle (when data is deleted), and portability.
  • Personal data protection service level objectives. Addressing situations in which the cloud service provider acts as a data processor on behalf of its customer, these objectives seek to ensure that personal data collected by the customer is managed (stored, retained, and potentially released) appropriately and in a manner consistent with applicable privacy regulations.

In its statement announcing the receipt of the guidelines, the European Commission indicated that next steps would include testing these guidelines with users, in particular SMEs, and submitting the guidelines for discussion by the European Commission's Expert Group on Cloud Computing Contracts as part of a larger discussion of other cloud-related activities - including the data protection Code of Conduct for cloud computing providers, which the Expert Group prepared and presented to the Article 29 Data Protection Working Party.

The guidelines will also be presented to the Cloud Computing Working Group of the ISO (the International Standards Organization) in order to present a European position to inform the ISO's effort to establish international standards on SLAs for cloud computing.

Although these guidelines are not yet mandatory, they do signal the EU's view that internationally enforced standards are critical to consumer trust and the ultimate success of cloud services, and that all entities - including those that are U.S.-based - will eventually need to adhere to those standards.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Loeb & Loeb LLP | Attorney Advertising
